Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2006-01-02

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY--FBI Recruiting IT Personnel(29 December 2005)The FBI has announced that it is seeking to hire Information Technology(IT) professionals for "critical IT positions;" interviews for computerscientists and engineers, IT specialists and IT project managers arescheduled to begin in January.http://www.computerworld.com/printthis/2005/0,4814,107390,00.htmlhttp://www.fbi.gov/pressrel/pressrel05/pr_it122305.htm

[Editor's Note (Schultz): The real issue for the FBI is not so muchrecruiting IT experts, but rather retaining them. Time-after-timeindustry, which often pays far more than does the FBI can, hires the"best and brightest" away from the FBI.]

The FBI has many challenges it is falling short in meeting, including a competitive salary structure. In my mind, the FBI's approach in hiring and personnel placement is at least as big of a problem as their inadequate salaries. Back in 2003, I was in the middle of the interview process for the FBI (round 2, I believe) when I was given the following information:

I would not know where I would be geographically placed until after my 16 weeks of training in Quantico, VA

I would not know my job duties until my first day on the job after my assignment was determined.

This meant that only after committing to a career at the FBI and agreeing to move my life to an indeterminate city would I be told what the rest of my career would hold. They could not tell me if I would be doing computer forensics, crime scene investigations, SWAT duties, or posing as 14-year-old Julie in an internet chat room. As much as I honestly wanted to work for the FBI, and do good work for my country, I couldn't risk sacrificing the years of experience and higher education I'd invested in Information Security to be a ballistics expert for the feds. Not that all of the jobs I've mentioned aren't important, but more important to me was my career. Until this gap is filled along with the salary problems, the FBI will continue to fall far short of the expertise it needs in the field.

In practice, these shortcomings are obvious. I have met a number of FBI special agents in my career in Information Security, and it's apparent that the people getting the security-related positions aren't adequately prepared for them. To a man (or woman), every agent I've worked with has been hardworking, intelligent, helpful, and willing to acknowledge where their training falls short. They really are talented individuals, but their knowledge has nearly always been inadequate for the type of important work they assume. It is an organizational problem in every regard, not an issue with the agents themselves.

The internal politics must also turn off more qualified analysts. In a recent meeting with two special agents representing my geographical area, I was informed that IP (intellectual property) issues were prioritized higher than issues like child pornography, fraud, and identity theft. While I have my own theories on why this is the case (it involves lobbyists from certain industries), the point is that it must be difficult to work under conditions where the country's political climate dictates your work priorities. I have great respect for individuals who can work and succeed in such an environment, but maintain that such an environment is just one more turn-off to highly-qualified individuals who can work elsewhere without such distractions.

It's important for the security of our country and its citizens that these issues be addressed by the FBI. Change is already afoot in this agency, let's hope it picks up steam and is implemented with speed uncharacteristic of the federal government.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.